|Topic:||SQL injections when importing outcomes|
|Versions affected:||< 1.9.5|
|Reported by:||internal review|
|Solution:||upgrade to 1.9.5|
When reviewing the import outcomes code, it was discovered that incorrect coding allowed SQL injections. By default only trusted users are allowed to use this part of gradebook. It can not be exploited by students.